Add nftables-0.9.2. Fixes #4620.

Add firewalld-0.7.2.
Add libnftnl-1.1.4.
Add libmnl-1.0.4.
Add decorator-4.4.0.
Add python-slip-0.6.5.
Update to blfs-bootscripts-20191025.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22301 af4574ff-66df-0310-9fd7-8a98e5e911e0
This commit is contained in:
DJ Lucas 2019-10-25 06:28:45 +00:00
parent 6914a41786
commit 14c0be2ff6
14 changed files with 2196 additions and 725 deletions


@ -1,12 +1,12 @@
<!-- $LastChangedBy$ $Date$ -->
<!ENTITY day "24"> <!-- Always 2 digits -->
<!ENTITY day "25"> <!-- Always 2 digits -->
<!ENTITY month "10"> <!-- Always 2 digits -->
<!ENTITY year "2019">
<!ENTITY copyrightdate "2001-&year;">
<!ENTITY copyholder "The BLFS Development Team">
<!ENTITY version "&year;-&month;-&day;">
<!ENTITY releasedate "October 24th, &year;">
<!ENTITY releasedate "October 25th, &year;">
<!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
<!ENTITY blfs-version "svn"> <!-- svn|[release #] -->
<!ENTITY lfs-version "development"> <!-- x.y|development -->
@ -82,7 +82,7 @@
<!ENTITY lfs-vim-version "7.4">
<!-- End LFS versions -->
<!ENTITY blfs-bootscripts-version "20190908">
<!ENTITY blfs-bootscripts-version "20191025">
<!ENTITY systemd-units-version "20180105">

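--- a/general/prog/decorator.xml
+++ b/general/prog/decorator.xml
@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % general-entities SYSTEM "../../general.ent">
+%general-entities;
+<!ENTITY decorator-download-http "https://files.pythonhosted.org/packages/source/d/decorator/decorator-&decorator-version;.tar.gz">
+<!ENTITY decorator-download-ftp " ">
+<!ENTITY decorator-md5sum "a565a98581c0d110bc247323e89df9b1">
+<!ENTITY decorator-size "36 KB">
+<!ENTITY decorator-buildsize "348 KB">
+<!ENTITY decorator-time "0.1 SBU">
+]>
+<!-- Begin decorator -->
+<sect2 id="decorator" xreflabel="decorator-&decorator-version;">
+<title>decorator-&decorator-version;</title>
+<indexterm zone="decorator">
+<primary sortas="a-decorator">decorator</primary>
+</indexterm>
+<sect3 role="package">
+<title>Introduction to decorator Module</title>
+<para>
+The goal of the <application>decorator</application> module is to make
+it easy to define signature-preserving function decorators and
+decorator factories.
+</para>
+&lfs90_checked;
+<bridgehead renderas="sect4">Package Information</bridgehead>
+<itemizedlist spacing="compact">
+<listitem>
+<para>
+Download (HTTP): <ulink url="&decorator-download-http;"/>
+</para>
+</listitem>
+<listitem>
+<para>
+Download (FTP): <ulink url="&decorator-download-ftp;"/>
+</para>
+</listitem>
+<listitem>
+<para>
+Download MD5 sum: &decorator-md5sum;
+</para>
+</listitem>
+<listitem>
+<para>
+Download size: &decorator-size;
+</para>
+</listitem>
+<listitem>
+<para>
+Estimated disk space required: &decorator-buildsize;
+</para>
+</listitem>
+<listitem>
+<para>
+Estimated build time: &decorator-time;
+</para>
+</listitem>
+</itemizedlist>
+<para condition="html" role="usernotes">User Notes:
+<ulink url="&blfs-wiki;/decorator"/>
+</para>
+</sect3>
+<sect3 role="installation">
+<title>Installation of decorator</title>
+<para>Install decorator with the following commands:</para>
+<screen><userinput>python3 setup.py build</userinput></screen>
+<para>
+This package does not come with a test suite.
+</para>
+<para>
+To install the decorator package with the following command as the
+<systemitem class="username">root</systemitem> user:
+</para>
+<screen role="root"><userinput>python3 setup.py install --optimize=1</userinput></screen>
+</sect3>
+<sect3 role="content">
+<title>Contents</title>
+<segmentedlist>
+<segtitle>Installed Programs</segtitle>
+<segtitle>Installed Libraries</segtitle>
+<segtitle>Installed Directories</segtitle>
+<seglistitem>
+<seg>
+None
+</seg>
+<seg>
+/usr/lib/python&python3-majorver;/site-packages/decorator/decorator-&decorator-version;-py3.7.egg-info
+</seg>
+<seg>
+/usr/lib/python&python3-majorver;/site-packages/decorator
+</seg>
+</seglistitem>
+</segmentedlist>
+</sect3>
+</sect2>
+<!-- End decorator -->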
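Review bot: The Installed Libraries entry hard-codes `py3.7` in `decorator-&decorator-version;-py3.7.egg-info` while the directory entry right below it and the python-slip page use the `&python3-majorver;` entity, so the egg-info name will go stale on the next Python minor bump; write it as `decorator-&decorator-version;-py&python3-majorver;.egg-info`. The sentence introducing the root-user step, "To install the decorator package with the following command as the root user:", has no main clause; the python-slip page's form fits here: `To install the decorator package, run the following command as the`. "Install decorator with the following commands:" introduces a single command, so "command" would be accurate. The egg-info is listed inside the `decorator` package directory rather than beside it in `site-packages`; presumably that is a copy-paste slip from the directory line — worth confirming against an actual install.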


@ -34,6 +34,11 @@
<xref linkend="dbus-python"/>
</para>
</listitem>
<listitem>
<para>
<xref linkend="decorator"/>
</para>
</listitem>
<listitem>
<para>
<xref linkend="docutils"/>
@ -114,6 +119,11 @@
<xref linkend="Mako"/>
</para>
</listitem>
<listitem>
<para>
<xref linkend="python-slip"/>
</para>
</listitem>
<listitem>
<para>
<xref linkend="scour"/>
@ -135,6 +145,9 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="dbus-python.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="decorator.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="docutils.xml"/>
@ -191,6 +204,9 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="mako.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="python-slip.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="pyyaml.xml"/>


@ -0,0 +1,127 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY python-slip-download-http "https://github.com/nphilipp/python-slip/releases/download/python-slip-&python-slip-version;/python-slip-&python-slip-version;.tar.bz2">
<!ENTITY python-slip-download-ftp " ">
<!ENTITY python-slip-md5sum "28ae5f93853466c44ec96706ba2a1eb4">
<!ENTITY python-slip-size "28 KB">
<!ENTITY python-slip-buildsize "612 KB">
<!ENTITY python-slip-time "0.1 SBU">
]>
<!-- Begin python-slip -->
<sect2 id="python-slip" xreflabel="python-slip-&python-slip-version;">
<title>python-slip-&python-slip-version;</title>
<indexterm zone="python-slip">
<primary sortas="a-python-slip">python-slip</primary>
</indexterm>
<sect3 role="package">
<title>Introduction to python-slip Module</title>
<para>
<application>python-slip</application> provides convenience, extension
and workaround code for Python and some Python modules.
</para>
&lfs90_checked;
<bridgehead renderas="sect4">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>
Download (HTTP): <ulink url="&python-slip-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&python-slip-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &python-slip-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &python-slip-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &python-slip-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &python-slip-time;
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect4">python-slip Dependencies</bridgehead>
<bridgehead renderas="sect5">Required</bridgehead>
<para role="required">
<xref linkend="dbus-python"/> and
<xref linkend="decorator"/>
</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/python-slip"/>
</para>
</sect3>
<sect3 role="installation">
<title>Installation of python-slip</title>
<para>
To build the <application>python-slip</application> module, run the
following commands:
</para>
<screen><userinput>sed 's/@VERSION@/0.6.5/' setup.py.in > setup.py &amp;&amp;
python3 setup.py build</userinput></screen>
<para>
To install the <application>python-slip</application> module,
run the following command as the
<systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>python3 setup.py install --optimize=1</userinput></screen>
</sect3>
<sect3 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>
None
</seg>
<seg>
usr/lib/python&python3-majorver;/site-packages/python-slip-&python-slip-version;-py&python3-majorver;.egg-info
and
usr/lib/python&python3-majorver;/site-packages/python-slip.dbus-&python-slip-version;-py&python3-majorver;.egg-info
</seg>
<seg>
/usr/lib/python&python3-majorver;/site-packages/python-slip
</seg>
</seglistitem>
</segmentedlist>
</sect3>
</sect2>
<!-- End python-slip -->
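Review bot: Both Installed Libraries paths in the Contents list are missing their leading slash (`usr/lib/python&python3-majorver;/site-packages/python-slip-...` and the `python-slip.dbus` line), unlike the directory entry below them and every other path on this page; they should begin with `/usr/lib/`. The build step also hard-codes the release in `sed 's/@VERSION@/0.6.5/' setup.py.in`, so a future version bump of `python-slip-version` in packages.ent would silently leave the substituted version behind. Entities expand inside `<userinput>` elsewhere in this commit (the firewalld page's `patch -Np1 -i ../firewalld-&firewalld-version;-builtin-1.patch`), so the line can be `sed 's/@VERSION@/&python-slip-version;/' setup.py.in > setup.py &amp;&amp;`.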


@ -41,6 +41,34 @@
</itemizedlist>
</listitem>
-->
<listitem>
<para>October 25th, 2019</para>
<itemizedlist>
<listitem>
<para>[dj] - Add nftables-0.9.2. Fixes
<ulink url="&blfs-ticket-root;4620">#4620</ulink>.</para>
</listitem>
<listitem>
<para>[dj] - Add firewalld-0.7.2.</para>
</listitem>
<listitem>
<para>[dj] - Add libnftnl-1.1.4.</para>
</listitem>
<listitem>
<para>[dj] - Add libmnl-1.0.4.</para>
</listitem>
<listitem>
<para>[dj] - Add decorator-4.4.0.</para>
</listitem>
<listitem>
<para>[dj] - Add python-slip-0.6.5.</para>
</listitem>
<listitem>
<para>[dj] - Update to blfs-bootscripts-20191025.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>October 24th, 2019</para>
<itemizedlist>


@ -0,0 +1,152 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY libmnl-download-http "https://netfilter.org/projects/libmnl/files/libmnl-&libmnl-version;.tar.bz2">
<!ENTITY libmnl-download-ftp " ">
<!ENTITY libmnl-md5sum "be9b4b5328c6da1bda565ac5dffadb2d">
<!ENTITY libmnl-size "296 KB">
<!ENTITY libmnl-buildsize "2.9 MB">
<!ENTITY libmnl-time "less than 0.1 SBU">
]>
<sect1 id="libmnl" xreflabel="libmnl-&libmnl-version;">
<?dbhtml filename="libmnl.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>libmnl-&libmnl-version;</title>
<indexterm zone="libmnl">
<primary sortas="a-libmnl">libmnl</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to libmnl</title>
<para>
The <application>libmnl</application> library provides a minimalistic
user-space library oriented to Netlink developers. There are a lot of
common tasks in parsing, validating, constructing of both the Netlink
header and TLVs that are repetitive and easy to get wrong. This library
aims to provide simple helpers that allows you to re-use code and to
avoid re-inventing the wheel.
</para>
&lfs90_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>
Download (HTTP): <ulink url="&libmnl-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&libmnl-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &libmnl-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &libmnl-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &libmnl-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &libmnl-time;
</para>
</listitem>
</itemizedlist>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/libmnl"/>
</para>
</sect2>
<sect2 role="installation">
<title>Installation of libmnl</title>
<para>
Install <application>libmnl</application> by running the following
commands:
</para>
<screen><userinput>./configure --prefix=/usr &amp;&amp;
make</userinput></screen>
<para>
This package does not come with a test suite.
</para>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>make install &amp;&amp;
mv /usr/lib/libmnl.so.* /lib &amp;&amp;
ln -sfv ../../lib/$(readlink /usr/lib/libmnl.so) /usr/lib/libmnl.so</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<para>
<command>mv -v /usr/lib/libmnl.so.* ...</command>: Move shared
libraries into /lib so they are available before /usr is mounted.
</para>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Library</segtitle>
<seglistitem>
<seg>
libmnl.so
</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="libmnl-lib">
<term><filename class="libraryfile">libmnl.so</filename></term>
<listitem>
<para>
provides functions for parsing, validating, constructing of both
the Netlink header and TLVs.
</para>
<indexterm zone="libmnl libmnl-lib">
<primary sortas="c-libmnl">libmnl.so</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>
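Review bot: The Command Explanations entry documents `mv -v /usr/lib/libmnl.so.* ...`, but the command actually given in the installation screen is `mv /usr/lib/libmnl.so.* /lib` without `-v`, so a reader searching the explanation text against the command finds no match; either add `-v` to the command (the following `ln -sfv` is already verbose) or quote it as `<command>mv /usr/lib/libmnl.so.* ...</command>`. The libnftnl page in this same commit has the identical mismatch between its `mv` command and its explanation. As a point of style, this page's Contents list uses a single `Installed Library` column, whereas libnftnl and the other new pages use the three-column Programs/Libraries/Directories form; keeping the shared layout makes the pages easier to compare.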


@ -0,0 +1,178 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY libnftnl-download-http "https://netfilter.org/projects/libnftnl/files/libnftnl-&libnftnl-version;.tar.bz2">
<!ENTITY libnftnl-download-ftp " ">
<!ENTITY libnftnl-md5sum "bf1a51c9cad0f0cb12b6811ce1e0dd90">
<!ENTITY libnftnl-size "360 KB">
<!ENTITY libnftnl-buildsize "8.6 MB">
<!ENTITY libnftnl-time "less than 0.1 SBU">
]>
<sect1 id="libnftnl" xreflabel="libnftnl-&libnftnl-version;">
<?dbhtml filename="libnftnl.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>libnftnl-&libnftnl-version;</title>
<indexterm zone="libnftnl">
<primary sortas="a-libnftnl">libnftnl</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to libnftnl</title>
<para>
The <application>libnftnl</application> library provides a low-level
netlink programming interface (API) to the in-kernel nf_tables subsystem.
</para>
&lfs90_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>
Download (HTTP): <ulink url="&libnftnl-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&libnftnl-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &libnftnl-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &libnftnl-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &libnftnl-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &libnftnl-time;
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">libnftnl Dependencies</bridgehead>
<bridgehead renderas="sect4">Required</bridgehead>
<para role="required">
<xref linkend="libmnl"/>
</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/libnftnl"/>
</para>
</sect2>
<sect2 role="kernel">
<title>Kernel Configuration</title>
<para>
Enable the following options in the kernel configuration and recompile the
kernel if necessary:
</para>
<screen><literal>[*] Networking support [CONFIG_NET] ---&gt;
Networking options ---&gt;
[*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---&gt;
Core Netfilter Configuration ---&gt;
&lt;*&gt; Netfilter nf_tables support [CONFIG_NF_TABLES]</literal></screen>
</sect2>
<sect2 role="installation">
<title>Installation of libnftnl</title>
<para>
Install <application>libnftnl</application> by running the following
commands:
</para>
<screen><userinput>./configure --prefix=/usr &amp;&amp;
make</userinput></screen>
<para>
This package does not come with a test suite.
</para>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>make install &amp;&amp;
mv /usr/lib/libnftnl.so.* /lib &amp;&amp;
ln -sfv ../../lib/$(readlink /usr/lib/libnftnl.so) /usr/lib/libnftnl.so</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<para>
<command>mv -v /usr/lib/libnftnl.so.* ...</command>: Move shared
libraries into /lib so they are available before /usr is mounted.
</para>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>
None
</seg>
<seg>
libnftnl.so
</seg>
<seg>
None
</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="libnftnl-lib">
<term><filename class="libraryfile">libnftnl.so</filename></term>
<listitem>
<para>
provides a netlink interface to the in-kernel nf_tables subsystem.
</para>
<indexterm zone="libnftnl libnftnl-lib">
<primary sortas="c-libnftnl">libnftnl.so</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>


@ -28,6 +28,8 @@ $Date$
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="glib-networking.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ldns.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libevent.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libmnl.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libnftnl.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libnl.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libnsl.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libpcap.xml"/>


@ -11,6 +11,7 @@
<!ENTITY cryptsetup-version "&cryptsetup-minor;.6">
<!ENTITY cyrus-sasl-version "2.1.27">
<!ENTITY gnupg2-version "2.2.17">
<!ENTITY firewalld-version "0.7.2">
<!ENTITY gnutls-version "3.6.10">
<!ENTITY gpgme-version "1.13.1">
<!ENTITY haveged-version "1.9.2">
@ -23,6 +24,7 @@
<!ENTITY make-ca-version "1.5">
<!ENTITY mitkrb-major-version "1.17">
<!ENTITY mitkrb-version "1.17">
<!ENTITY nftables-version "0.9.2">
<!ENTITY nettle-version "3.5.1">
<!ENTITY nss-minor-version "47">
@ -515,6 +517,7 @@ to avoid building libxml2 twice, which is slow with all deps -->
<!ENTITY docutils-version "0.15">
<!ENTITY dbus-python-version "1.2.12">
<!-- <!ENTITY funcsigs-version "1.0.2"> -->
<!ENTITY decorator-version "4.4.0">
<!ENTITY Jinja2-version "2.10.3">
<!-- libxml2 for Python2 shares the version of libxml2 -->
<!ENTITY lxml-version "4.4.1">
@ -533,6 +536,7 @@ to avoid building libxml2 twice, which is slow with all deps -->
<!ENTITY PyYAML-version "5.1.2">
<!ENTITY scour-version "0.37">
<!ENTITY six-version "1.12.0">
<!ENTITY python-slip-version "0.6.5">
<!-- <!ENTITY setuptools-version "30.2.0"> -->
<!-- Part IV -->
@ -577,6 +581,8 @@ to avoid building libxml2 twice, which is slow with all deps -->
<!ENTITY glib-networking-version "2.62.1">
<!ENTITY ldns-version "1.7.1">
<!ENTITY libevent-version "2.1.11">
<!ENTITY libmnl-version "1.0.4">
<!ENTITY libnftnl-version "1.1.4">
<!ENTITY libnl-version "3.5.0">
<!ENTITY libnl-dl-version "3_5_0">
<!ENTITY libnsl-version "1.2.0">
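Review bot: Two of the new version entities break otherwise sorted runs: `firewalld-version` is placed after `gnupg2-version` instead of between `cyrus-sasl-version` and `gnupg2-version`, and `nftables-version` is placed before `nettle-version` instead of after it. The neighbouring entries in both hunks (`cryptsetup` through `haveged`, and `make-ca` through `nss`) are alphabetical, so keeping that order makes later lookups and merges less error-prone. The `decorator-version` and `python-slip-version` placements sit in regions that do not appear sorted, so no change is suggested there.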


@ -0,0 +1,334 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY firewalld-download-http "https://github.com/firewalld/firewalld/releases/download/firewalld-&firewalld-version;/firewalld-&firewalld-version;.tar.gz">
<!ENTITY firewalld-download-ftp " ">
<!ENTITY firewalld-md5sum "2549c2006def07a19b4c77ec960e5aab">
<!ENTITY firewalld-size "1.6 MB">
<!ENTITY firewalld-buildsize "26 MB">
<!ENTITY firewalld-time "0.2 SBU">
]>
<sect1 id="firewalld" xreflabel="firewalld-&firewalld-version;">
<?dbhtml filename="firewalld.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>firewalld-&firewalld-version;</title>
<indexterm zone="firewalld">
<primary sortas="a-firewalld">firewalld</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to firewalld</title>
<para>
The <application>firewalld</application> package provides a dynamically
managed firewall with support for network or firewall zones to define the
trust level of network connections or interfaces. It has support for
IPv4, IPv6 firewall settings and for ethernet bridges and a separation of
runtime and permanent configuration options. It also provides an
interface for services or applications to add nftables or iptables and
ebtables rules directly.
</para>
&lfs90_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>
Download (HTTP): <ulink url="&firewalld-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&firewalld-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &firewalld-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &firewalld-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &firewalld-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &firewalld-time;
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">Additional Downloads</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>
Required patch:
<ulink url="&patch-root;/firewalld-&firewalld-version;-builtin-1.patch"/>
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">firewalld Dependencies</bridgehead>
<bridgehead renderas="sect4">Required</bridgehead>
<para role="required">
<xref linkend="nftables"/> or <xref linkend="iptables" role="nodump"/>,
and <xref linkend="python-slip"/>
</para>
<bridgehead renderas="sect4">Recommended</bridgehead>
<para role="recommended">
<xref linkend="DocBook"/> and <xref linkend="libxslt"/> (for building
the manual pages), and
<ulink url="https://netfilter.org/projects/ipset/index.html">ipset</ulink>
for ipset support (only when used with iptables)
</para>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional">
<xref linkend="qt5" role="runtime"/> (runtime only, required for
<application>fireall-applet</application>) and
<xref linkend="gtk3" role="runtime"/> (runtime only, required for
<application>fireall-config</application>)
</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/firewalld"/>
</para>
</sect2>
<sect2 role="installation">
<title>Installation of firewalld</title>
<para>
Fix an issue with use of built-in kernel modules:
</para>
<screen><userinput>patch -Np1 -i ../firewalld-&firewalld-version;-builtin-1.patch</userinput></screen>
<para>
Install <application>firewalld</application> by
running the following commands:
</para>
<screen revision="systemd"><userinput>PYTHON=/usr/bin/python3 \
./configure --sysconfdir=/etc \
--without-ipset &amp;&amp;
make</userinput></screen>
<screen revision="sysv"><userinput>PYTHON=/usr/bin/python3 \
./configure --sysconfdir=/etc \
--without-ipset \
--disable-systemd &amp;&amp;
make</userinput></screen>
<para>
To run the testsuite, isssue the command <command>make test</command>.
</para>
<para revision="sysv">
Prevent installation of the distributed firewalld init script with the
following command:
</para>
<screen revision="sysv"><userinput>sed '/^am__append_3/,+1d' -i config/Makefile</userinput></screen>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>make install</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<para>
<parameter>--without-ipset</parameter>: This switch disables use of the
<command>ipset</command> utility. Omit if it is installed.
</para>
<para revision="sysv">
<parameter>--without-systemd</parameter>: This command prevents
installation of <application>systemd</application> services.
</para>
</sect2>
<sect2 role="configuration">
<title>Configuring firewalld</title>
<sect3 id="firewalld-conf">
<title>Config Files</title>
<para>
<filename>/etc/firewall/applet.conf</filename>,
<filename>/etc/firewalld/firewalld.conf</filename>,
and <filename>/etc/sysconfig/firewalld</filename>
</para>
<indexterm zone="firewalld firewalld-conf">
<primary sortas="e-etc-firewalld.conf">/etc/firewalld/firewalld.conf</primary>
</indexterm>
<para>
Configuration of <application>firewalld</application> is generally done
without modification of the above configuration files using the
<command>firewall-cmd</command> command. Within the above configuration
files you can set daemon behavior only. E.g.: whether runtime rules are
retained on restart, which firewall backend to use (default is
nftables), or whether to turn on debugging.
</para>
<para>
Detailed documentation is provided by the
<application>firewalld</application> developers at
<ulink url="https://firewalld.org/documentation/"/>.
</para>
</sect3>
<sect3 id="firewalld-init">
<title><phrase revision="sysv">Init Script</phrase>
<phrase revision="systemd">Systemd Unit</phrase></title>
<para revision="sysv">
If you need to run the <command>firewalld</command> daemon at system
startup, install the <filename>/etc/rc.d/init.d/firewalld</filename>
init script included in the
<xref linkend="bootscripts"/> package using the following command:
</para>
<para revision="systemd">
If you need to run the <command>firewalld</command> daemon at system
startup, enable the previously installed
<filename>firewalld.service</filename> unit with the following command:
</para>
<indexterm zone="firewalld firewalld-init">
<primary sortas="f-firewalld">firewalld</primary>
</indexterm>
<screen role="root" revision="sysv"><userinput>make install-firewalld</userinput></screen>
<screen role="root" revision="systemd"><userinput>systemctl enable firewalld</userinput></screen>
</sect3>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>
firewall-applet, firewall-cmd, firewall-config, firewall-offline-cmd,
and firewalld
</seg>
<seg>
None
</seg>
<seg>
/etc/firewalld,
/etc/firewall,
/usr/lib/firewalld, and
/usr/lib/python-&python3-version;/site-packages/firewall
</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="firewall-applet">
<term><command>firewall-applet</command></term>
<listitem>
<para>
is a tray applet using QSettings backend.
</para>
<indexterm zone="firewalld firewall-applet">
<primary sortas="b-firewall-applet">firwall-applet</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="firewall-cmd">
<term><command>firewall-cmd</command></term>
<listitem>
<para>
is the primary command line frontend.
</para>
<indexterm zone="firewalld firewall-cmd">
<primary sortas="b-firewall-cmd">firewall-cmd</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="firewall-config">
<term><command>firewall-config</command></term>
<listitem>
<para>
is a GUI configuration tool using GTK+-3.
</para>
<indexterm zone="firewalld firewall-config">
<primary sortas="b-firewall-config">firewall-config</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="firewall-offline-cmd">
<term><command>firewall-offline-cmd</command></term>
<listitem>
<para>
is a command line client used for permanent configuration while
firewalld is not running.
</para>
<indexterm zone="firewalld firewall-offline-cmd">
<primary sortas="b-firewall-offline-cmd">firewall-offline-cmd</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="firewalld-daemon">
<term><command>firewalld</command></term>
<listitem>
<para>
is the Dynamic Firewall Manager daemon.
</para>
<indexterm zone="firewalld firewalld-daemon">
<primary sortas="b-firewalld">firewalld</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>
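Review bot: The sysv Command Explanations entry documents `<parameter>--without-systemd</parameter>`, but the sysv configure command above it passes `--disable-systemd`, so the explanation describes a switch that the reader never types; it should read `<parameter>--disable-systemd</parameter>: This switch prevents`. The Installed Directories entry `/usr/lib/python-&python3-version;/site-packages/firewall` does not follow the `/usr/lib/python&python3-majorver;/site-packages/` form used by the decorator and python-slip pages in this commit, and the extra hyphen plus full version presumably yields a path that does not exist. There are also several spelling slips: `fireall-applet` and `fireall-config` in the Optional dependencies paragraph, `isssue` in the test-suite sentence, and `firwall-applet` in the `firewall-applet` indexterm. The `sed '/^am__append_3/,+1d' -i config/Makefile` workaround keys on an automake-generated variable name; a short comment recording what that block installs would help whoever has to re-derive it when the generated name changes.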


@ -15,727 +15,203 @@
<title>Setting Up a Network Firewall</title>
<para>Before you read this part of the chapter, you should have
already installed iptables as described in the previous section.</para>
<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>
<para>The general purpose of a firewall is to protect a computer or
a network against malicious access.</para>
<para>
The purpose of a firewall is to protect a computer or a network against
malicious access. In a perfect world every daemon or service, on every
machine, is perfectly configured and immune to security flaws, and all
users are trusted implicitly to use the equipment as intended. However,
this is rarely, if ever, the case. Daemons may be misconfigured, or
updates may not have been applied for known exploits against essential
services. Additionally, you may wish to choose which services are
accessible by certain machines or users, or you may wish to limit which
machines or applications are allowed external access. Alternatively, you
simply may not trust some of your applications or users. For these
reasons, a carefully designed firewall should be an essential part of
system security.
</para>
<para>In a perfect world, every daemon or service on every machine
is perfectly configured and immune to flaws such as buffer overflows
or other problems regarding its security. Furthermore, you trust
every user accessing your services. In this world, you do not need
to have a firewall.</para>
<para>In the real world however, daemons may be misconfigured and
exploits against essential services are freely available. You may
wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed
external access. Alternatively, you may simply not trust some of
your applications or users. You are probably connected to the
Internet. In this world, a firewall is essential.</para>
<para>Don't assume however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It doesn't prevent anyone from exploiting
a service you intentionally offer but haven't recently updated or
patched after an exploit went public. Despite having a firewall, you
need to keep applications and daemons on your system properly
configured and up to date. A firewall is not a cure all, but should
be an essential part of your overall security strategy.</para>
<para>
While a firewall can greatly limit the scope of the above issues, do not
assume that having a firewall makes careful configuration redundant, or
that any negligent misconfiguration is harmless. A firewall does not
prevent the exploitation of any service you offer outside of it. Despite
having a firewall, you need to keep applications and daemons properly
configured and up to date.
</para>
</sect2>
<sect2>
<title>Meaning of the Word "Firewall"</title>
<para>The word firewall can have several different meanings.</para>
<para>
The word firewall can have several different meanings.
</para>
<sect3>
<title><xref linkend="fw-persFw"/></title>
<title>Personal Firewall</title>
<para>This is a hardware device or software program commercially sold (or
offered via freeware) by companies such as Symantec which claims that
it secures a home or desktop computer connected to the Internet. This
type of firewall is highly relevant for users who do not know how their
computers might be accessed via the Internet or how to disable
that access, especially if they are always online and connected
via broadband links.</para>
<para>
This is a hardware device or software program, intended to secure a
home or desktop computer connected to the Internet. This type of
firewall is highly relevant for users who do not know how their
computers might be accessed via the Internet or how to disable
that access, especially if they are always online and connected
via broadband links.
</para>
<para>
An example configuration for a personal firewall is provided at
<xref linkend="fw-persFw-ipt"/>.
</para>
</sect3>
<sect3>
<title><xref linkend="fw-masqRouter"/></title>
<title>Masquerading Router</title>
<para>This is a system placed between the Internet and an intranet.
To minimize the risk of compromising the firewall itself, it should
generally have only one role&mdash;that of protecting the intranet.
Although not completely risk free, the tasks of doing the routing and
IP masquerading (rewriting IP headers of the packets it routes from
clients with private IP addresses onto the Internet so that they seem
to come from the firewall itself) are commonly considered relatively
secure.</para>
<para>
This is a system placed between the Internet and an intranet.
To minimize the risk of compromising the firewall itself, it should
generally have only one role&mdash;that of protecting the intranet.
Although not completely risk-free, the tasks of doing the routing and
IP masquerading (rewriting IP headers of the packets it routes from
clients with private IP addresses onto the Internet so that they seem
to come from the firewall itself) are commonly considered relatively
secure.
</para>
<para>
Example configurations for a masquerading firewall are provided at
<xref linkend="fw-masqRouter-ipt"/> and
<xref linkend="fw-masqRouter-nft"/>.
</para>
</sect3>
<sect3>
<title><xref linkend="fw-busybox"/></title>
<title>BusyBox</title>
<para>This is often an old computer you may have retired and nearly
forgotten, performing masquerading or routing functions, but offering
non-firewall services such as a web-cache or mail. This may be used
for home networks, but is not to be considered as secure as a firewall
only machine because the combination of server and router/firewall on
one machine raises the complexity of the setup.</para>
<para>
This is often an old computer you may have retired and nearly
forgotten, performing masquerading or routing functions, but offering
non-firewall services such as a web-cache or mail. This may be used
for home networks, but is not to be considered as secure as a firewall
only machine because the combination of server and router/firewall on
one machine raises the complexity of the setup.
</para>
<para>
An example configuration for a BusyBox is provided at
<xref linkend="fw-busybox-ipt"/>.
</para>
</sect3>
<sect3>
<title>Firewall with a Demilitarized Zone [Not Further
Described Here]</title>
<title>Firewall with a Demilitarized Zone</title>
<para>This box performs masquerading or routing, but grants public
access to some branch of your network which, because of public IPs
and a physically separated structure, is essentially a separate
network with direct Internet access. The servers on this network are
those which must be easily accessible from both the Internet and
intranet. The firewall protects both networks. This type of firewall
has a minimum of three network interfaces.</para>
<para>
This type of firewall performs masquerading or routing, but grants
public access to some branch of your network that is physically
separated from your regular intranet and is essentially a separate
network with direct Internet access. The servers on this network are
those which must be easily accessible from both the Internet and
intranet. The firewall protects both networks. This type of firewall
has a minimum of three network interfaces.
</para>
</sect3>
<sect3>
<title>Packetfilter</title>
<para>This type of firewall does routing or masquerading, but does
not maintain a state table of ongoing communication streams. It is
fast, but quite limited in its ability to block undesired packets
without blocking desired packets.</para>
<para>
This type of firewall does routing or masquerading but does
not maintain a state table of ongoing communication streams. It is
fast but quite limited in its ability to block undesired packets
without blocking desired packets.
</para>
</sect3>
</sect2>
<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now You Can Start to Build your Firewall</title>
<caution>
<para>This introduction on how to setup a firewall is not a
complete guide to securing systems. Firewalling is a complex
issue that requires careful configuration. The scripts quoted
here are simply intended to give examples of how a firewall
works. They are not intended to fit into any particular
configuration and may not provide complete protection from
an attack.</para>
<para>Customization of these scripts for your specific situation
will be necessary for an optimal configuration, but you should
make a serious study of the iptables documentation and creating
firewalls in general before hacking away. Have a look at the
list of <xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>
</caution>
<para revision="sysv">The firewall configuration script installed in the
iptables section differs from the standard configuration script. It only
has two of the standard targets: start and status. The other targets are
clear and lock. For instance if you issue:</para>
<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
<para revision="sysv">the firewall will be restarted just as it is upon
system startup. The status target will present a list of all currently
implemented rules. The clear target turns off all firewall rules and the
lock target will block all packets in and out of the computer with the
exception of the loopback interface.</para>
<para revision="sysv">The main startup firewall is located in the file
<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
three different approaches that can be used for a system.</para>
<para revision="systemd">The main startup firewall is located in the file
<filename>/etc/systemd/scripts/iptables</filename>. The sections below
provide three different approaches that can be used for a system.</para>
<note>
<para>You should always run your firewall rules from a script.
This ensures consistency and a record of what was done. It also
allows retention of comments that are essential for understanding
the rules long after they were written.</para>
</note>
<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
<para>A Personal Firewall is designed to let you access all the
services offered on the Internet, but keep your box secure and
your data private.</para>
<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
to the Linux 2.6 kernels.</para>
<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin rc.iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# End $rc_base/rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin /etc/systemd/scripts/iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
<para>This script is quite simple, it drops all traffic coming
into your computer that wasn't initiated from your computer, but
as long as you are simply surfing the Internet you are unlikely
to exceed its limits.</para>
<para>If you frequently encounter certain delays at accessing
FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para>
<para>Even if you have daemons or services running on your system,
these will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as
<command>ssh</command> or <command>ping</command>, take a look at
<xref linkend="fw-busybox"/>.</para>
</sect3>
<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>
<para>A true Firewall has two interfaces, one connected to an
intranet, in this example <emphasis role="strong">eth0</emphasis>,
and one connected to the Internet, here <emphasis
role="strong">ppp0</emphasis>. To provide the maximum security
for the firewall itself, make sure that there are no unnecessary
servers running on it such as <application>X11</application> et
al. As a general principle, the firewall itself should not access
any untrusted service (think of a remote server giving answers that
makes a daemon on your system crash, or even worse, that implements
a worm via a buffer-overflow).</para>
<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin rc.iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin /etc/systemd/scripts/iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
<para>With this script your intranet should be reasonably secure
against external attacks. No one should be able to setup a new
connection to any internal service and, if it's masqueraded,
makes your intranet invisible to the Internet. Furthermore, your
firewall should be relatively safe because there are no services
running that a cracker could attack.</para>
<note>
<para>If the interface you're connecting to the Internet
doesn't connect via PPP, you will need to change
<replaceable>&lt;ppp+&gt;</replaceable> to the name of the interface
(e.g., <emphasis role="strong">eth1</emphasis>) which you are
using.</para>
</note>
</sect3>
<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>
<para>This scenario isn't too different from the <xref
linkend="fw-masqRouter"/>, but additionally offers some
services to your intranet. Examples of this can be when
you want to administer your firewall from another host on
your intranet or use it as a proxy or a name server.</para>
<note>
<para>Outlining a true concept of how to protect a server that
offers services on the Internet goes far beyond the scope of
this document. See the references at the end of this section
for more information.</para>
</note>
<para>Be cautious. Every service you have enabled makes your
setup more complex and your firewall less secure. You are
exposed to the risks of misconfigured services or running
a service with an exploitable bug. A firewall should generally
not run any extra services. See the introduction to the
<xref linkend="fw-masqRouter"/> for some more details.</para>
<para>If you want to add services such as internal Samba or
name servers that do not need to access the Internet themselves,
the additional statements are quite simple and should still be
acceptable from a security standpoint. Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.</para>
<screen><literal>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</literal></screen>
<para>If daemons, such as squid, have to access the Internet
themselves, you could open OUTPUT generally and restrict
INPUT.</para>
<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>
<para>However, it is generally not advisable to leave OUTPUT
unrestricted. You lose any control over trojans who would like
to "call home", and a bit of redundancy in case you've
(mis-)configured a service so that it broadcasts its existence
to the world.</para>
<para>To accomplish this, you should restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have
open. Which ports you have to open depends on your needs: mostly
you will find them by looking for failed accesses in your log
files.</para>
<itemizedlist spacing="compact" role='iptables'>
<title>Have a Look at the Following Examples:</title>
<listitem>
<para>Squid is caching the web:</para>
<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
-j ACCEPT</literal></screen>
</listitem>
<listitem>
<para>Your caching name server (e.g., named) does its
lookups via UDP:</para>
<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
</listitem>
<listitem>
<para>You want to be able to ping your computer to
ensure it's still alive:</para>
<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>
</listitem>
<listitem>
<para id='fw-BB-4' xreflabel="BusyBox example number 4">If
you are frequently accessing FTP servers or enjoy chatting, you might
notice certain delays because some implementations of these daemons
have the feature of querying an identd on your system to obtain
usernames. Although there's really little harm in this, having an
identd running is not recommended because many security experts feel
the service gives out too much additional information.</para>
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
</listitem>
<listitem>
<para>To log and drop invalid packets (packets
that came in after netfilter's timeout or some types of
network scans) insert these rules at the top of the chain:</para>
<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
-j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
</listitem>
<listitem>
<para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:</para>
<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
<para>There are other addresses that you may also want to
drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
experimental), 169.254.0.0/16 (Link Local Networks), and
192.0.2.0/24 (IANA defined test network).</para>
</listitem>
<listitem>
<para>If your firewall is a DHCP client, you need to allow
those packets:</para>
<screen><literal>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
</listitem>
<listitem>
<para>To simplify debugging and be fair to anyone who'd like
to access a service you have disabled, purposely or by mistake,
you could REJECT those packets that are dropped.</para>
<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>
<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
</listitem>
</itemizedlist>
<para>These are only examples to show you some of the capabilities
of the firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for
this can be found in <filename>/etc/services</filename>, in case you
didn't find them by trial and error in your log file.</para>
</sect3>
</sect2>
<sect2 id="fw-finale" xreflabel="Conclusion">
<sect2>
<title>Conclusion</title>
<para>Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to gain
from it. If you are responsible for valuable information, you need to
spend the time to protect it properly.</para>
<caution>
<para>
The example configurations provided for <xref linkend="iptables"/> and
<xref linkend="nftables"/> are not intended to be a complete guide to
securing systems. Firewalling is a complex issue that requires careful
configuration. The configurations provided by BLFS are intended only to
give examples of how a firewall works. They are not intended to fit any
particular configuration and may not provide complete protection from
an attack.
</para>
</caution>
<para>
BLFS provides two utilities to manage the kernel Netfilter interface,
<xref linkend="iptables"/> and <xref linkend="nftables"/>.
</para>
<para>
<xref linkend="iptables"/> has been around since early 2.4 kernels, and
has been the standard since. If you plan not to use a configuration
utility, this is likely the set of tools that will be most familiar to
existing admins.
</para>
<para>
<xref linkend="nftables"/> is the successor to <xref linkend="iptables"/>
and provies all of the same functionality with a single userspace tool,
<command>nft</command>, that uses similar syntax to BSD's
<application>pf</application> utility, and may be easier for new users or
admins already familiar with that platform.
</para>
<para>
While both can be used in tandem, that is an advanced configuration and
you should decide on one or the other. Both pages include very simple
example configurations, and customization of the provided configurations
for your specific environment will be necessary if you elect to use
either without a configuration tool.
</para>
<para>
Additionally, a firewall management tool, <xref linkend="firewalld"/>, is
provided to greatly ease firewall configuration for both simple and
complex environments, and can be used with either tool. You should not
use the example configurations if you intend to use
<application>firewalld</application> to manage your firewall rules.
</para>
<para>
If you elect to configure manually, have a look at the
list of further reading below for more details. Here you will find a
list of URLs that contain comprehensive information about building
firewalls and further securing your system.
</para>
</sect2>
<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<sect2 id="fw-extra-info">
<title>Extra Information</title>
<sect3 id="fw-library" xreflabel="links for further reading">
<title>Where to Start with Further Reading on Firewalls</title>
<sect3>
<title>Further Reading on Firewalls</title>
<blockquote>
<literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink>
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
@ -752,20 +228,6 @@ iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
</literallayout>
</blockquote>
<!-- The following are all dead links from the section above. They are
moved out of the section so the literallayout won't produce blank
lines in the rendered text
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
-->
</sect3>
</sect2>


@ -12,7 +12,7 @@
<!ENTITY iptables-time "0.2 SBU">
]>
<sect1 id="iptables" xreflabel="Iptables-&iptables-version;">
<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
<?dbhtml filename="iptables.html"?>
<sect1info>
@ -20,20 +20,18 @@
<date>$Date$</date>
</sect1info>
<title>Iptables-&iptables-version;</title>
<title>iptables-&iptables-version;</title>
<indexterm zone="iptables">
<primary sortas="a-Iptables">Iptables</primary>
<primary sortas="a-iptables">iptables</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to Iptables</title>
<title>Introduction to iptables</title>
<para>
The next part of this chapter deals with firewalls. The principal
firewall tool for Linux is <application>Iptables</application>. You will
need to install <application>Iptables</application> if you intend on using
any form of a firewall.
<application>iptables</application> is a userspace command line program
used to configure Linux 2.4 and later kernel packet filtering ruleset.
</para>
&lfs90_checked;
@ -72,11 +70,11 @@
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">Iptables Dependencies</bridgehead>
<bridgehead renderas="sect3">iptables Dependencies</bridgehead>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional">
<ulink url="http://www.netfilter.org/projects/nftables/index.html">nftables</ulink>
<xref linkend="nftables"/>
</para>
@ -89,24 +87,30 @@
<title>Kernel Configuration</title>
<para>
A firewall in Linux is accomplished through a portion of the
kernel called netfilter. The interface to netfilter is
<application>Iptables</application>. To use it, the appropriate
kernel configuration parameters are found in:
A firewall in Linux is accomplished through the netfilter interface. To
use <application>iptables</application> to configure netfilter, the
following kernel configuration parameters are required:
</para>
<screen><literal>[*] Networking support ---&gt; [CONFIG_NET]
Networking Options ---&gt;
[*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]</literal></screen>
[*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]
Core Netfilter Configuration ---&gt;</literal></screen>
<para>
Include any connection tracking protocols that will be used, as well as
any protocols that you wish to use for match suppport under the
"Core Netfilter Configuration" section.
</para>
<indexterm zone="iptables iptables-kernel">
<primary sortas="d-iptables">Iptables</primary>
<primary sortas="d-iptables">iptables</primary>
</indexterm>
</sect2>
<sect2 role="installation">
<title>Installation of Iptables</title>
<title>Installation of iptables</title>
<note>
<para>
@ -118,20 +122,13 @@
how to change the <parameter>KERNEL_DIR=</parameter> parameter to point
at the <application>Linux</application> source code. Note that if you
upgrade the kernel version, you may also need to recompile
<application>Iptables</application> and that the BLFS team has not tested
using the raw kernel headers.
</para>
<para>
For some non-x86 architectures, the raw kernel headers may be
required. In that case, modify the <parameter>KERNEL_DIR=</parameter>
parameter to point at the <application>Linux</application> source
code.
<application>iptables</application> and that the BLFS team has not
tested using the raw kernel headers.
</para>
</note>
<para>
Install <application>Iptables</application> by running the following
Install <application>iptables</application> by running the following
commands:
</para>
@ -142,9 +139,13 @@
--with-xtlibdir=/lib/xtables &amp;&amp;
make</userinput></screen>
<para>This package does not come with a test suite.</para>
<para>
This package does not come with a test suite.
</para>
<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>make install &amp;&amp;
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;
@ -162,7 +163,8 @@ done</userinput></screen>
<para>
<parameter>--disable-nftables</parameter>: This switch disables building
nftables compat. Omit this switch if you have installed nftables.
nftables compat. Omit this switch if you have installed
<xref linkend="nftables"/>.
</para>
<para>
@ -173,7 +175,7 @@ done</userinput></screen>
<para>
<parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all
<application>Iptables</application> modules are installed in the
<application>iptables</application> modules are installed in the
<filename class="directory">/lib/xtables</filename> directory.
</para>
@ -190,12 +192,630 @@ done</userinput></screen>
</sect2>
<sect2 role="configuration">
<title>Configuring Iptables</title>
<title>Configuring iptables</title>
<para>
Introductory instructions for configuring your firewall are
presented in the next section: <xref linkend="fw-firewall"/>
</para>
<note>
<para>
If you intend to use <xref linkend="firewalld"/> to configure your
firewall rules, you should not use the example configurations provided
here, nor should you enable the
<phrase revision="sysv">bootscript</phrase>
<phrase revision="systemd">systemd unit</phrase>.
</para>
</note>
<note>
<para>
In the follwoing example configurations, <emphasis
role="strong">LAN1</emphasis> is used for the internal LAN interface,
and <emphasis role="strong">WAN1</emphasis> is used for the external
interace connected to the internet. You will need to replace these
values with appropriate interface names for your system.
</para>
</note>
<sect3 id="fw-persFw-ipt"
xreflabel="Creating a Personal Firewall With iptables">
<title>Personal Firewall</title>
<para>
A Personal Firewall is designed to let you access all the
services offered on the Internet, but keep your box secure and
your data private.
</para>
<para>
Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
to the Linux 3.x kernels.
</para>
<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin rc.iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# End $rc_base/rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin /etc/systemd/scripts/iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
<para>
This script is quite simple, it drops all traffic coming
into your computer that wasn't initiated from your computer, but
as long as you are simply surfing the Internet you are unlikely
to exceed its limits.
</para>
<para>
If you frequently encounter certain delays at accessing
FTP servers, take a look at <xref linkend="fw-BB-4-ipt"/>.
</para>
<para>
Even if you have daemons or services running on your system,
these will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as
<command>ssh</command> or <command>ping</command>, take a look at
<xref linkend="fw-busybox-ipt"/>.
</para>
</sect3>
<sect3 id="fw-masqRouter-ipt"
xreflabel="Creating a Masquerading Router With iptables">
<title>Masquerading Router</title>
<para>
A network Firewall has two interfaces, one connected to an
intranet, in this example <emphasis role="strong">LAN1</emphasis>,
and one connected to the Internet, here <emphasis
role="strong">WAN1</emphasis>. To provide the maximum security
for the firewall itself, make sure that there are no unnecessary
servers running on it such as <application>X11</application> et al.
As a general principle, the firewall itself should not access
any untrusted service (think of a remote server giving answers that
makes a daemon on your system crash, or even worse, that implements
a worm via a buffer-overflow).
</para>
<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin rc.iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
# Begin /etc/systemd/scripts/iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
# The following sections allow inbound packets for specific examples
# Uncomment the example lines and adjust as necessary
# Allow ping on the external interface
#iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Reject ident packets with TCP reset to avoid delays with FTP or IRC
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Allow HTTP and HTTPS to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT
# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
<para>
With this script your intranet should be reasonably secure
against external attacks. No one should be able to setup a new
connection to any internal service and, if it's masqueraded,
makes your intranet invisible to the Internet. Furthermore, your
firewall should be relatively safe because there are no services
running that a cracker could attack.
</para>
</sect3>
<sect3 id="fw-busybox-ipt" xreflabel="Creating a BusyBox With iptables">
<title>BusyBox</title>
<para>
This scenario isn't too different from the <xref
linkend="fw-masqRouter-ipt"/>, but additionally offers some
services to your intranet. Examples of this can be when
you want to administer your firewall from another host on
your intranet or use it as a proxy or a name server.
</para>
<note>
<para>
Outlining specifically how to protect a server that
offers services on the Internet goes far beyond the scope of
this document. See the references in <xref linkend="fw-extra-info"/>
for more information.
</para>
</note>
<para>
Be cautious. Every service you have enabled makes your
setup more complex and your firewall less secure. You are
exposed to the risks of misconfigured services or running
a service with an exploitable bug. A firewall should generally
not run any extra services. See the introduction to the
<xref linkend="fw-masqRouter-ipt"/> for some more details.
</para>
<para>
If you want to add services such as internal Samba or
name servers that do not need to access the Internet themselves,
the additional statements are quite simple and should still be
acceptable from a security standpoint. Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.
</para>
<screen><literal>iptables -A INPUT -i ! WAN1 -j ACCEPT
iptables -A OUTPUT -o ! WAN1 -j ACCEPT</literal></screen>
<para>
If daemons, such as squid, have to access the Internet
themselves, you could open OUTPUT generally and restrict
INPUT.
</para>
<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>
<para>
However, it is generally not advisable to leave OUTPUT
unrestricted. You lose any control over trojans who would like
to "call home", and a bit of redundancy in case you've
(mis-)configured a service so that it broadcasts its existence
to the world.
</para>
<para>
To accomplish this, you should restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have
open. Which ports you have to open depends on your needs: mostly
you will find them by looking for failed accesses in your log
files.
</para>
<itemizedlist spacing="compact" role='iptables'>
<title>Have a Look at the Following Examples:</title>
<listitem>
<para>
Squid is caching the web:
</para>
<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
-j ACCEPT</literal></screen>
</listitem>
<listitem>
<para>
Your caching name server (e.g., named) does its lookups via UDP:
</para>
<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
</listitem>
<listitem>
<para>
You want to be able to ping your computer to ensure it's still
alive:
</para>
<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>
</listitem>
<listitem>
<para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable example number 4">
If you are frequently accessing FTP servers or enjoy chatting, you
might notice delays because some implementations of these daemons
query an identd daemon on your system to obtain usernames. Although
there's really little harm in this, having an identd running is not
recommended because many security experts feel the service gives
out too much additional information.
</para>
<para>
To avoid these delays you could reject the requests with a
'tcp-reset' response:
</para>
<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
</listitem>
<listitem>
<para>
To log and drop invalid packets (packets
that came in after netfilter's timeout or some types of
network scans) insert these rules at the top of the chain:
</para>
<screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
-j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>
</listitem>
<listitem>
<para>
Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:
</para>
<screen><literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i WAN1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal></screen>
<para>
There are other addresses that you may also want to drop:
0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
experimental), 169.254.0.0/16 (Link Local Networks), and
192.0.2.0/24 (IANA defined test network).
</para>
</listitem>
<listitem>
<para>
If your firewall is a DHCP client, you need to allow those packets:
</para>
<screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
</listitem>
<listitem>
<para>
To simplify debugging and be fair to anyone who'd like
to access a service you have disabled, purposely or by mistake,
you could REJECT those packets that are dropped.
</para>
<para>
Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:
</para>
<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
</listitem>
</itemizedlist>
<para>
These are only examples to show you some of the capabilities
of the firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for
this can be found in <filename>/etc/services</filename>, in case you
didn't find them by trial and error in your log file.
</para>
</sect3>
<sect3 id="iptables-init">
<title><phrase revision="sysv">Boot Script</phrase>
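Review bot: `iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID ...` in the "log and drop invalid packets" example of the final configuration hunk (`@ -190,12 +192,630`) is rejected by iptables, which numbers rules from 1 and reports an invalid rule number for 0; the pair should read `iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \ -j LOG --log-prefix "FIREWALL:INVALID "` followed by `iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP`, so the LOG rule still precedes the DROP. The BusyBox lines `iptables -A INPUT -i ! WAN1 -j ACCEPT` and `iptables -A OUTPUT -o ! WAN1 -j ACCEPT` use the intrapositioned negation that iptables has deprecated, while the masquerading script in the same hunk already writes the accepted form `! -i WAN1`; they should be `iptables -A INPUT ! -i WAN1 -j ACCEPT` and `iptables -A OUTPUT ! -o WAN1 -j ACCEPT`. In both masquerading scripts `rp_filter` and `send_redirects` are written only to `conf/default/`, which as far as I recall applies to interfaces created afterwards rather than to the already-present LAN1/WAN1, whereas the personal-firewall scripts set `conf/all/` and `conf/default/` together; the router scripts should do the same for the anti-spoofing setting to take effect. The moved text also carries the typos `follwoing` and `interace` in the interface note, and the hunk is cut short in this view, so the `iptables-init` section that starts on its last line could not be reviewed.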


@ -0,0 +1,427 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY nftables-download-http "https://netfilter.org/projects/nftables/files/nftables-&nftables-version;.tar.bz2">
<!ENTITY nftables-download-ftp " ">
<!ENTITY nftables-md5sum "dfe130724d7c998eb26b56447e932899">
<!ENTITY nftables-size "764 KB">
<!ENTITY nftables-buildsize "31 MB">
<!ENTITY nftables-time "0.2 SBU">
]>
<sect1 id="nftables" xreflabel="nftables-&nftables-version;">
<?dbhtml filename="nftables.html"?>
<sect1info>
<othername>$LastChangedBy: $</othername>
<date>$Date: $</date>
</sect1info>
<title>nftables-&nftables-version;</title>
<indexterm zone="nftables">
<primary sortas="a-nftables">nftables</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to nftables</title>
<para>
The <application>nftables</application> package, intended to be the
successor to <xref linkend="iptables"/>, provides a low-level netlink
programming interface (API), and userspace uitlities for the in-kernel
nf_tables subsystem.
</para>
&lfs90_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>
Download (HTTP): <ulink url="&nftables-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&nftables-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &nftables-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &nftables-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &nftables-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &nftables-time;
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">nftables Dependencies</bridgehead>
<bridgehead renderas="sect4">Required</bridgehead>
<para role="required">
<xref linkend="libnftnl"/>
</para>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional">
<xref linkend="iptables"/>,
<xref linkend="jansson"/>, and
<xref linkend="docbook-utils"/>
</para>
<bridgehead renderas="sect4">Optional (runtime)</bridgehead>
<para role="optional">
<ulink url="https://netfilter.org/projects/conntrack-tools/index.html">
contrack-tools</ulink>
<ulink url="https://netfilter.org/projects/nfacct/index.html">
nfacct</ulink>
<ulink url="https://netfilter.org/projects/ulogd/index.html">
ulogd</ulink>
</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/nftables"/>
</para>
</sect2>
<sect2 role="kernel">
<title>Kernel Configuration</title>
<para>
Enable the following options in the kernel configuration and recompile the
kernel if necessary (add any additional nf_tables features as needed):
</para>
<screen><literal>[*] Networking support [CONFIG_NET] ---&gt;
Networking options ---&gt;
[*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---&gt;
Core Netfilter Configuration ---&gt;
&lt;*&gt; * protocol support [CONFIG_NF_CONNTRACK_*]
&lt;*&gt; Netfilter nf_tables support [CONFIG_NF_TABLES]
[*] Netfilter nf_tables * support [CONFIG_NF_TABLES_*]</literal></screen>
<para>
Include any connection tracking protocols that will be used, and
any protocols that you wish to use for match suppport under the
"Core Netfilter Configuration" section. Additionally, include any
"Netfilter nf_tables * module" that will be used under the
"Netfilter nf_tables support" section.
</para>
</sect2>
<sect2 role="installation">
<title>Installation of nftables</title>
<para>
Install <application>nftables</application> by running the following
commands:
</para>
<screen><userinput>./configure --prefix=/usr \
--sbindir=/sbin \
--sysconfdir=/etc \
--with-python-bin=/usr/bin/python3 &amp;&amp;
make</userinput></screen>
<para>
This package does not come with a test suite.
</para>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>make install &amp;&amp;
mv /usr/lib/nftables.so.* /lib &amp;&amp;
ln -sfv ../../lib/$(readlink /usr/lib/nftables.so) /usr/lib/nftables.so</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../xincludes/static-libraries.xml"/>
<para>
<parameter>--with-python-bin=/usr/bin/python3</parameter>: force use of
<application>Python3</application>.
</para>
<para>
<option>--enable-man-doc</option>: build man pages if
<xref linkend="docbook-utils"/> is installed.
</para>
<para>
<parameter>--with-json</parameter>: build with support for JSON output if
<xref linkend="jansson"/> is available.
</para>
<para>
<parameter>--with-xtables</parameter>: build with
<xref linkend="iptables"/> libxtables support.
</para>
<para>
<command>mv -v /usr/lib/nftables.so.* ...</command>: Move shared
libraries into /lib so they are available before /usr is mounted.
</para>
</sect2>
<sect2 role="configuration">
<title>Configuring nftables</title>
<note>
<para>
If you intend to use <xref linkend="firewalld"/> to configure your
firewall rules, you should not use the example configuration provided
here, nor should you enable the
<phrase revision="sysv">bootscript</phrase>
<phrase revision="systemd">systemd unit</phrase>.
</para>
</note>
<sect3 id="fw-masqRouter-nft"
xreflabel="Creating a Masquerading Router With nftables">
<title>Masquerading Router</title>
<para>
A network Firewall has two interfaces, one connected to an
intranet, in this example <emphasis role="strong">LAN1</emphasis>,
and one connected to the Internet, here <emphasis
role="strong">WAN1</emphasis>. You will need to adjust these value to
match your particular system. To provide the maximum security
for the firewall itself, make sure that there are no unnecessary
servers running on it such as <application>X11</application> et al.
As a general principle, the firewall itself should not access
any untrusted service (think of a remote server giving answers that
makes a daemon on your system crash, or even worse, that implements
a worm via a buffer-overflow).
</para>
<note>
<para>
In the follwoing example configuration, <emphasis
role="strong">LAN1</emphasis> is used for the internal LAN interface,
and <emphasis role="strong">WAN1</emphasis> is used for the external
interace connected to the internet. You will need to replace these
values with appropriate interface names for your system.
</para>
</note>
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/nftables/nftables.conf &lt;&lt; "EOF"
<literal>#!/sbin/nft -f
# You're using the example configuration for a setup of a firewall
# from Beyond Linux From Scratch.
#
# This example is far from being complete, it is only meant
# to be a reference.
#
# Firewall security is a complex issue, that exceeds the scope
# of the configuration rules below.
#
# You can find additional information
# about firewalls in Chapter 4 of the BLFS book.
# http://www.&lfs-domainname;/blfs
# Drop all existing rules
flush ruleset
# Filter for both ip4 and ip6 (inet)
table inet filter {
# filter incomming packets
chain input {
# Drop everything that doesn't match policy
type filter hook input priority 0; policy drop;
# accept packets for established connections
ct state { established, related } accept
# Drop packets that have a connection state of invalid
ct state invalid drop
# Allow connections to the loopback adapter
iifname "lo" accept
# Allow connections to the LAN1 interface
iifname "LAN1" accept
# Accept icmp requests
ip protocol icmp accept
# Allow ssh connections on LAN1
iifname "LAN1" tcp dport ssh accept
# Drop everything else
drop
}
# Allow forwarding for external connections to WAN1
chain forward {
# Drop if it doesn't match policy
type filter hook forward priority 0; policy drop;
# Accept connections on WAN1
oifname "WAN1" accept
# Allow forwarding to another host via this interface
# Uncomment the following line to allow connections
# ip daddr 192.168.0.2 ct status dnat accept
# Allow established and related connections
iifname "WAN1" ct state { established, related } accept
}
# Filter output traffic
chain output {
# Allow everything outbound
type filter hook output priority 0; policy accept;
}
}
# Allow NAT for ip protocol (both ip4 and ip6)
table ip nat {
chain prerouting {
# Accept on inbound interace for policy match
type nat hook prerouting priority 0; policy accept;
# Accept http and https on 192.168.0.2
# Uncomment the following line to allow http and https
#iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
}
chain postrouting {
# accept outbound
type nat hook postrouting priority 0; policy accept;
# Masquerade on WAN1 outbound
oifname "WAN1" masquerade
}
}</literal>
EOF</userinput></screen>
<para>
With this configuration your intranet should be reasonably secure
against external attacks. No one should be able to setup a new
connection to any internal service not configured above.
</para>
<para>
There are several other examples in the
<filename class="directory">/etc/nftables</filename> directory.
</para>
</sect3>
<sect3 id="nftables-init">
<title><phrase revision="sysv">Boot Script</phrase>
<phrase revision="systemd">Systemd Unit</phrase></title>
<para revision="sysv">
To set up the nftables firewall at boot, install the
<filename>/etc/rc.d/init.d/nftables</filename> init script included
in the <xref linkend="bootscripts"/> package.
</para>
<para revision="systemd">
To set up the nftables firewall at boot, install the
<filename>nftables.service</filename> unit included in the
<xref linkend="systemd-units"/> package.
</para>
<indexterm zone="nftables nftables-init">
<primary sortas="f-nftables">nftables</primary>
</indexterm>
<screen role="root"><userinput>make install-nftables</userinput></screen>
</sect3>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>
nft
</seg>
<seg>
libnftables.{a,so}
</seg>
<seg>
/etc/nftables
</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="nft">
<term><filename>nft</filename></term>
<listitem>
<para>
command line interface for the nf_tables subsystem.
</para>
<indexterm zone="nftables nft">
<primary sortas="a-nft">nft</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="libnftables">
<term><filename class="libraryfile">libnftables.{a,so}</filename></term>
<listitem>
<para>
provides functions for manipulating the nf_tables subsystem.
</para>
<indexterm zone="nftables libnftables">
<primary sortas="c-libnftables">libnftables.so</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>


@ -53,8 +53,6 @@ $Date$
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
@ -76,5 +74,9 @@ $Date$
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sudo.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="volume_key.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nftables.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>
</chapter>